Frequently Asked Questions
Q: How are University areas selected for audits?
Q: What are auditable activities?
Q: What are internal controls?
Q: What steps are involved in the audit process?
Q: How long does an audit take?
Q: I'm familiar with the state auditors - is UofM internal audit the same thing?
Q: Who receives reports from internal audit?
Q: How can I propose a new University policy, or a change to an existing policy?
Q: How long does my office have to retain its files and records?
Q: Where can I find the guidelines for the University Purchasing Card?
Q: How are University areas selected for audits?
A: Areas are selected for review in several ways: our annual audit risk analysis, state or federal requirements, and special request or other circumstances such as investigations. Some of the following factors considered in determining the relative risk of each area to the University are:
- Findings from prior audits
- Time since last audit
- Size and/or complexity of operations
- Whether the department collects revenue and/or volume of collections
- Recent changes in management, staff, and/or business process changes
- Public sensitivity
- Evaluation of internal controls
- Comments or concerns of the Audit Committee or senior management
We use this information to establish priorities and develop our annual audit schedule. Because Internal Audit operates as a service to management, our schedule is open to possible revision any time during the fiscal year to accommodate administrative requests or other special circumstances.
Q: What are auditable activities?
A: Auditable University activities include but are not limited to:
- Cost centers and auxiliary services
- General ledger account balances
- Information systems (manual and computerized)
- Grants and contracts
- Academic programs, departments, schools, and colleges
- Athletics programs and NCAA compliance
- Equipment inventory
- Functions such as information technology, procurement, financial aid, and human resources
- Transaction activities such as accounts receivable, purchasing, accounts payable and disbursements, inventory management and valuation, and payroll
-
Compliance with laws and regulations
Q: What are internal controls?
A: "Internal control" is a term commonly used by auditors as they plan and carry out departmental audits. The integrity of the University's accounting and operating systems depends on properly functioning controls. The system of internal controls consists of all measures taken by an organization to:
- Safeguard assets from waste and fraud
- Promote accuracy and reliability in the accounting records
- Encourage and measure compliance with policies
- Evaluate the efficiency of operations
Some examples of internal controls include separating the duties of handling cash and reconciling deposits, limiting access to petty cash and safe combinations to a few employees, and separating the duties of preparing payroll and distributing paychecks.
Q: What steps are involved in the audit process?
A: Although every audit is unique the following audit process generally occurs for most engagements.
Audit Planning
The auditor assigned to the audit will review the files of prior audits in your area (if any), review applicable professional literature, research any applicable policies or statutes, and then prepare an initial audit program, which is basically a list of steps we will perform in the audit. This work will be performed in our office.
Audit Announcement Notification
An audit announcement and an internal control questionnaire is sent at the onset of the audit to the primary contacts of the area being audited. The internal control questionnaire and any supporting documentation is typically due back to us within two weeks.
Opening Conference
Next, the auditors assigned to the audit will arrange a meeting with the financial manager(s) or directors(s) of the area or department being audited. In the meeting, the scope, objectives and criteria of the audit will be discussed. We explain what we expect to happen in the audit and give you the opportunity to share any concerns you may have. For example, if you would like us to review a particular process or procedure in your unit, let us know at this meeting and we will try to include it in our audit. This meeting is usually held in the area or department being audited.
Fieldwork
The audit is performed by reviewing and observing practices and procedures, examining documentation, and performing tests to determine the adequacy of the internal controls, or safeguards in place, and compliance with applicable policies. During this process we will also likely interview employees in the department to inquire about their duties. We may flowchart the processes being reviewed to better understand and evaluate them. Some of this work will be performed in our office and some in the unit being audited.
This phase of the audit is the most time consuming, but a very important goal of our internal audit staff is to minimize the disruption to the department under audit.
Exit Conference
Throughout our review we will try to be open regarding what we find and plan to recommend in the audit report. Once we complete the fieldwork, we will meet informally with departmental management and other necessary responsible officials to discuss our preliminary results. If we have misinterpreted anything in the review, or if you disagree with our conclusions, you have the opportunity to let us know so that we can make clarifications before issuing our report. Our goal is to give assurance to management, the Audit Committee and the Board of Trustees that strong controls are in place and working. You can expect a heads up on any potential weakness we run across, but we are not "out to get" anybody. Our desire is for this university to operate in the most efficient and effective way possible.
Management Responses and Plans of Action
At this point we will ask for management's written corrective action plan(s) within two weeks of the exit conference for all issues identified. The purpose of an action plan is for management to specifically state how the issue will be resolved. Management will be also required to submit a target completion date in which the action plan will be implemented, as well as the name and title of a specific person who will be responsible for ensuring that the corrective action is completed. After receiving your response, we will determine whether your planned actions are appropriate. Action plans will be included verbatim in the final audit report.
Report Writing
After the exit conference and the receipt of management's corrective action plan(s), we will write a report stating what we did, what we found, any recommendations for improvement, and management's corrective action plans. A draft audit report will be circulated to all levels of management involved in the audit area to receive final input.
Reporting Process
The final audit report will be sent to all levels of management involved in the audited area, other University officials, and the Audit Committee of the Board of Trustees.
Follow-up Process
A follow up audit will be performed at the end of the quarter in which the action plan is due to determine whether the corrective action plan(s) have been implemented. If they have not been implemented, we will restate in writing the reason(s) for and importance of addressing our recommendation(s). The scope of this review will vary and may result in a follow-up report to the Audit Committee of the Board of Trustees depending on the status of corrective actions.
Q: How long does an audit take?
A: Audits can take from several days to several months depending on the type and complexity of the audit.
Q: In light of all the concern about privacy of personal information, why is it necessary for internal auditors to have access to all records, and why shouldn't students and staff be worried about this?
A: Complete access to records ensures that auditors are able to carry out their job responsibilities. Rest assured that internal auditors are held to very high standards with regard to confidentiality and safeguarding information. The department adheres to the Institute of Internal Auditors Code of Ethics, which includes the following statement: "Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so."
Q: I'm familiar with the state auditors - is internal audit the same thing?
A: No. The state auditors are employed by the State of Tennessee. Each year they arrive on campus and perform a required external audit of the University's financial statements. The UofM internal auditors are employed by the University of Memphis and report to the UofM President and also to the Audit Committee of the University of Memphis Board of Trustees.
Q: Who receives reports from internal audit?
A: Reports are issued to the University President and the Audit Committee. Others receive copies based on their relationship to the activity or department audited - usually the division vice president, the activity/department director, and others on a "need to know" basis, depending on the circumstances
Q: How can I propose a new University policy, or a change to an existing policy?
A: Contact your representative on the Policy Review Board. A list of members may be found at http://policies.memphis.edu/prb.htm
Q: How long does my office have to retain its files and records?
A: The University's record retention program is administered by the Vice President of Business and Finance. Information about the University's policy and current record retention schedule may be found at this policy link "Records Management" or at this records management link "Records Schedule".
Q: Where do I find the guidelines for the University Purchasing card?
A: Procurement and Contract Services maintains the Purchasing Card Program and the card guidelines. The office may be contacted at 901.678.2265 or 901.678.3673. purchasing@memphis.edu
Link to Card Guidelines:
Purchasing Card Program